Security for Vaadin Flow and lightweight REST
Pluggable authentication, authorization, and annotation-driven protection — wired through Java SPI, no Spring or Jakarta required.
Annotation-Driven
Protect Vaadin views and REST handlers with @RequiresRole, @RequiresPermission, or your own meta-annotated marker. One scanner powers both adapters.
Framework-Neutral Core
security-core has no Vaadin, Servlet, or REST-framework dependencies. Adapters map a single decision model to navigation or HTTP status.
Java SPI by Design
Authentication, authorization, login flow, and access evaluators are plugged in via META-INF/services/. No XML, no annotation magic.
Hardened First-Run Bootstrap
The first administrator is created via a one-time token. POSIX 0600 file, atomic creation, PBKDF2-HMAC-SHA256, never logged, never echoed.
Granted / 401 / 403 — That's It
AuthorizationDecision collapses to three outcomes. REST adapters map them to status codes; Vaadin maps them to navigation. Error bodies are short and generic.
Reference Demos Included
Vaadin demo (mvn jetty:run) and a JDK-only REST demo with HTTP server, CLI client, and server-side filtered operation discovery.
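The first-run bootstrap described under "Hardened First-Run Bootstrap" above, as an added illustration that is not security-core's own code: a hypothetical class that creates the one-time token file atomically with owner-only (0600) permissions, redeems it once using a constant-time compare, and derives the first administrator's password hash with PBKDF2-HMAC-SHA256. It assumes a POSIX file system and Java 8+; the class and method names and the iteration count are assumptions, not values taken from the library.

```java
import java.nio.ByteBuffer;
import java.nio.channels.SeekableByteChannel;
import java.nio.file.*;
import java.nio.file.attribute.*;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.EnumSet;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Illustrative sketch only (assumed class and method names); not security-core's own bootstrap code.
public final class BootstrapTokenSketch {
    private static final SecureRandom RNG = new SecureRandom();
    private static final int PBKDF2_ITERATIONS = 600_000; // assumed; the page does not state the library's count

    // Generate a 256-bit one-time token and write it as a 0600 file in one step: CREATE_NEW fails if the
    // path already exists (no silent overwrite), and the owner-only mode is applied at creation, so there
    // is no window in which another local user could read the file.
    public static byte[] createTokenFile(Path tokenFile) throws Exception {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        byte[] token = Base64.getUrlEncoder().withoutPadding().encode(raw);
        EnumSet<PosixFilePermission> ownerOnly =
                EnumSet.of(PosixFilePermission.OWNER_READ, PosixFilePermission.OWNER_WRITE);
        try (SeekableByteChannel ch = Files.newByteChannel(tokenFile,
                EnumSet.of(StandardOpenOption.CREATE_NEW, StandardOpenOption.WRITE),
                PosixFilePermissions.asFileAttribute(ownerOnly))) {
            ch.write(ByteBuffer.wrap(token));
        }
        return token; // handed to the caller only; this class never logs or prints it
    }

    // Redeem the token: constant-time comparison, and the file is deleted on success so it cannot be reused.
    public static boolean redeem(Path tokenFile, byte[] presented) throws Exception {
        byte[] stored = Files.readAllBytes(tokenFile);
        boolean ok = MessageDigest.isEqual(stored, presented);
        if (ok) Files.deleteIfExists(tokenFile);
        return ok;
    }

    // Hash the first administrator's password with PBKDF2-HMAC-SHA256; persist salt + hash, never the password.
    public static String hashPassword(char[] password) throws Exception {
        byte[] salt = new byte[16];
        RNG.nextBytes(salt);
        PBEKeySpec spec = new PBEKeySpec(password, salt, PBKDF2_ITERATIONS, 256);
        byte[] hash = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        spec.clearPassword(); // wipe the spec's internal copy of the password
        Base64.Encoder b64 = Base64.getEncoder();
        return "pbkdf2-sha256$" + PBKDF2_ITERATIONS + "$" + b64.encodeToString(salt) + "$" + b64.encodeToString(hash);
    }
}
```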
Need help integrating it?
I offer focused consulting around Vaadin Flow security, SPI integration, and bootstrap hardening. If the library is useful to you and you’d like to support its development, sponsoring is welcome — individual contributions through GitHub Sponsors and dedicated arrangements for companies.